---
description: Configure permission rules in Hasura
keywords:
  - hasura
  - docs
  - permissions
  - rules
sidebar_position: 40
---

import Thumbnail from '@site/src/components/Thumbnail';

# Configuring Permission Rules

## Introduction

Permissions in Hasura are defined with table, role and operation (_insert, update, select, delete_) level granularity:

<Thumbnail src='/img/auth/permission-rule-granularity_2.16.1.png' alt='Defining permissions in Hasura' width='1000px' />

Requests to the Hasura GraphQL Engine should contain the [reserved session variable](/auth/authentication/index.mdx)
`X-Hasura-Role` (or `X-Hasura-Allowed-Roles` and `X-Hasura-Default-Role`) to indicate the requesting user's role.
The table and operation information is inferred from the request itself. This information is then used to determine
the right permission rule to be applied (_if one has been defined_) to the incoming request.

Hasura converts incoming GraphQL requests into a single SQL query which includes constraints derived from the
permission rules that is executed on the configured database instance.

Permissions are essentially a combination of **boolean expressions** and **column selections** that impose constraints
on the data being returned or modified.

Let's take a look at the different configuration options available to define a permission rule. Permission rules
can be defined in the Console or the [metadata APIs for permissions](/api-reference/metadata-api/permission.mdx).

## Operation permissions

### **Select** permissions

For `select` operations or for GraphQL queries, you can configure the following:

- [Row permissions](/auth/authorization/permissions/row-level-permissions.mdx)
- [Column permissions](/auth/authorization/permissions/column-level-permissions.mdx)
- [Aggregation permissions](/auth/authorization/permissions/aggregation-permissions.mdx)
- [Row fetch limit](/auth/authorization/permissions/row-fetch-limit.mdx)
- [Root field visibility](/auth/authorization/permissions/disabling-root-fields.mdx)

### **Insert** permissions

For `insert` operations or for GraphQL mutations of the type _insert_, you can configure the following:

- [Row permissions](/auth/authorization/permissions/row-level-permissions.mdx)
- [Column permissions](/auth/authorization/permissions/column-level-permissions.mdx)
- [Column presets](/auth/authorization/permissions/column-presets.mdx)
- [Backend-only mutations](/auth/authorization/permissions/backend-only.mdx)

### **Update** permissions

For `update` operations or for GraphQL mutations of the type _update_, you can configure the following:

[//]: # (TODO pre and post update checks)
- [Row permissions](/auth/authorization/permissions/row-level-permissions.mdx) including Pre and Post update checks
- [Column permissions](/auth/authorization/permissions/column-level-permissions.mdx)
- [Column presets](/auth/authorization/permissions/column-presets.mdx)
- [Backend-only mutations](/auth/authorization/permissions/backend-only.mdx)

### **Delete** permissions

For `delete` operations or for GraphQL mutations of the type _delete_, you can configure the following:

- [Row permissions](/auth/authorization/permissions/row-level-permissions.mdx)
- [Backend-only mutations](/auth/authorization/permissions/backend-only.mdx)


